BlackEnergy
BlackEnergy Malware was first reported in 2007 as an
BlackEnergy 1 (BE1)
BlackEnergy's code supports several attack types for infecting target machines. It is also equipped with server-side scripts which the perpetrators can develop on the command and control (C&C) server. Cybercriminals use the BlackEnergy bot builder toolkit to generate customized bot client executables that are then distributed to targets via email spam and phishing campaigns.[4] BE1 lacks exploit functionality of its own and relies on external tools to load the bot.[5] BlackEnergy can be detected using the YARA signatures provided by the United States Department of Homeland Security (DHS).
Key features
- Can target more than one IP address per hostname
- Has a runtime encrypter to evade detection by antivirus software
- Hides its processes in a system driver (syssrv.sys)
Command types
- DDoS attack commands (e.g. ICMP flood, TCP SYN flood, UDP flood, HTTP GET flood, DNS flood, etc.)[1]
- Download commands to retrieve and launch new or updated executables from its server
- Control commands (e.g. stop, wait, or die)
BlackEnergy 2 (BE2)
BlackEnergy 2 uses sophisticated
Capabilities
- Can execute local files
- Can download and execute remote files
- Updates itself and its plugins with command and control servers
- Can execute die or destroy commands
BlackEnergy 3 (BE3)
The latest full version of BlackEnergy emerged in 2014. The changes simplified the malware code: this version installer drops the main
Plug-ins
- fs.dll — File system operations
- si.dll — System information, “BlackEnergy Lite”
- jn.dll — Parasitic infector
- ki.dll — Keystroke Logging
- ps.dll — Password stealer
- ss.dll — Screenshots
- vs.dll — Network discovery, remote execution
- tv.dll — TeamViewer
- rd.dll — Simple pseudo “remote desktop”
- up.dll — Update malware
- dc.dll — List Windows accounts
- bs.dll — Query system hardware, BIOS, and Windows info
- dstr.dll — Destroy system
- scan.dll — Network scan
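The driver name under "Key features" (syssrv.sys) and the plug-in file names listed above are the kind of indicator a defender turns into a first-pass triage check. The following is an added example, not code from the article or from any of the cited analyses: it parses a constructed, hypothetical endpoint log format (timestamp, host, event, path) and raises an alert whenever a driver load or file event carries one of the names the page lists. The log lines, the `DriverLoad`/`FileCreate`/`ImageLoad` event names and the severity levels are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators named on the page: the driver BE1 hides its processes in,
# and the BE3 plug-in DLL names with their documented purpose.
BE_DRIVER = "syssrv.sys"
BE3_PLUGINS = {
    "fs.dll": "file system operations",
    "si.dll": "system information (BlackEnergy Lite)",
    "jn.dll": "parasitic infector",
    "ki.dll": "keystroke logging",
    "ps.dll": "password stealer",
    "ss.dll": "screenshots",
    "vs.dll": "network discovery, remote execution",
    "tv.dll": "TeamViewer",
    "rd.dll": "pseudo remote desktop",
    "up.dll": "update malware",
    "dc.dll": "list Windows accounts",
    "bs.dll": "query hardware, BIOS and Windows info",
    "dstr.dll": "destroy system",
    "scan.dll": "network scan",
}

# Constructed (hypothetical) log line format, not any real product's schema:
#   <timestamp> <host> <event> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>DriverLoad|FileCreate|ImageLoad)\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Alert:
    host: str
    event: str
    path: str
    reason: str
    severity: str


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def classify(event: str, path: str):
    """Map one event to (reason, severity), or None when nothing on the page matches."""
    name = basename(path)
    if event == "DriverLoad" and name == BE_DRIVER:
        return ("BE1 driver name used to hide processes", "high")
    if name in BE3_PLUGINS:
        # The destructive plug-in warrants the highest priority; the rest are
        # short, collision-prone names and are only a triage lead.
        severity = "high" if name == "dstr.dll" else "medium"
        return (f"BE3 plug-in name: {BE3_PLUGINS[name]}", severity)
    return None


def scan_log(lines):
    """Parse log lines and return an Alert for each page-listed indicator seen."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip, do not crash
        hit = classify(m["event"], m["path"])
        if hit:
            alerts.append(Alert(m["host"], m["event"], m["path"], hit[0], hit[1]))
    return alerts


def summarize(alerts):
    """Count alerts per host so a responder sees which machines need attention."""
    counts = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return counts


# Constructed sample log (not captured from a real incident).
SAMPLE_LOG = [
    "2016-01-14T09:01:02Z ws01 DriverLoad C:\\Windows\\System32\\drivers\\syssrv.sys",
    "2016-01-14T09:01:05Z ws01 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\ki.dll",
    "2016-01-14T09:01:06Z ws01 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\dstr.dll",
    "2016-01-14T09:02:00Z ws02 ImageLoad C:\\Windows\\System32\\kernel32.dll",
    "this line does not match the expected format",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[{a.severity}] {a.host} {a.event} {a.path}: {a.reason}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Two-letter DLL names such as fs.dll or ps.dll are easy to collide with on a healthy system, so a name match here is a lead for a content-based check (for instance the DHS YARA signatures the article mentions), not a verdict on its own.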
References
- Nazario, Jose (October 2007). "BlackEnergy DDoS Bot Analysis" (PDF). Arbor Networks. Archived from the original (PDF) on 21 February 2020. Retrieved 17 April 2019.
- "Updated BlackEnergy Trojan Grows More Powerful". McAfee Blogs. 14 January 2016.
- "Details on August BlackEnergy PowerPoint Campaigns". 4 October 2014.
- "BlackEnergy APT Malware". RSA Link, community.rsa.com. 23 March 2016.
- doi:10.14236/ewic/ICS2016.7. Archived from the original (PDF) on 20 October 2016. Retrieved 5 November 2022.
- Stewart, Joe (3 March 2010). "BlackEnergy Version 2 Threat Analysis". www.secureworks.com.
- "ThreatSTOP Report: BlackEnergy" (PDF). threatstop.com. 7 March 2016. Archived (PDF) from the original on 28 May 2022. Retrieved 5 November 2022.
- Cherepanov, A.; Lipovsky, R. (7 October 2016). "BlackEnergy – what we really know about the notorious cyber attacks" (PDF).